1. Field of the Invention
The present invention relates to the protection of computer systems. More particularly, the present invention relates to a behavior-blocking system and method.
2. Description of the Related Art
Conventional immune systems such as the Digital Immune System (DIS) by IBM utilize antivirus scanners and heuristics to look for suspicious file content. Once suspicious file content is identified, client system users provide file-based submissions of suspicious file content to a global analysis center.
The global analysis center generates a malicious code signature based on the users' submissions. More particularly, the malicious code signature is based on replication of file-based computer viruses only, i.e., viruses that infect files. The malicious code signature is sent back to the client systems.
Since the conventional immune systems are based on replication of file-based computer viruses only, the conventional immune systems do not detect or protect against fileless malicious code, e.g., fileless worm code.
One type of network-based intrusion detection system (IDS), such as the Symantec ManHunt™ network intrusion detection system, is capable of detecting fileless malicious code. This type of network-based IDS uses a protocol analyzer module to detect anomalies associated with the fileless malicious code based on knowledge of the known set of network protocols.
Unfortunately, a large set of attacks can be carried out successfully using protocols not yet known to the protocol analyzer module. Further, even if the anomalies and fileless malicious code are detected, the attack might already be 100 percent successful at the time of detection. For example, the Win32/Slammer-type worm is detected as UDP_FLOOD_ALERT based on high UDP traffic on the network, well after the attack has become successful.
Another type of network-based intrusion detection system, such as Snort, is also capable of detecting fileless malicious code. This type of network-based IDS uses a network sniffer module, which looks for particular known signatures on the network. However, if there is no known signature for the fileless malicious code, the attack may be entirely undetected by this type of network-based IDS. Thus, this type of network-based IDS must be updated frequently to remain effective.
Unfortunately, the signature updates for the fileless malicious code are currently developed by security analysts after carefully analyzing samples of the fileless malicious code. This analysis of the fileless malicious code is relatively slow. Accordingly, it often takes hours or days until new signature updates are created by the security analysts and provided to the network based IDS. During this time, the fileless malicious code may be widespread.
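The two detection approaches contrasted above, and their respective blind spots, can be illustrated with a small model. The following is an added example and not part of the patent text or of any of the products it names: a Snort-style signature matcher and a rate-based UDP flood detector run over a constructed packet capture. The signature database, packet timestamps, payloads, port numbers and the 50-packets-per-second threshold are all constructed values chosen for illustration.

```python
"""Added illustration of signature matching versus rate-based anomaly detection.

Models the two network IDS behaviours described in the background section:
a sniffer that alerts only on known byte signatures, and a protocol-analyzer
style detector that raises a UDP flood alert once traffic volume is abnormal.
All packets, signatures and thresholds below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    t_ms: int        # capture time in milliseconds (constructed)
    proto: str       # "UDP" or "TCP"
    dst_port: int    # constructed port, not a real service
    payload: bytes


# Constructed signature database: a hypothetical pattern, not a real indicator.
KNOWN_SIGNATURES: Dict[str, bytes] = {
    "KNOWN_WORM_A": b"EXAMPLE-SIGNATURE-A",
}


def signature_alerts(packets: List[Packet],
                     signatures: Dict[str, bytes] = KNOWN_SIGNATURES
                     ) -> List[Tuple[int, str]]:
    """Sniffer-style detection: alert only when a known pattern appears in a payload."""
    alerts = []
    for p in packets:
        for name, pattern in signatures.items():
            if pattern in p.payload:
                alerts.append((p.t_ms, name))
    return alerts


def udp_flood_alert_time(packets: List[Packet], window_ms: int = 1000,
                         threshold: int = 50) -> Optional[int]:
    """Rate-based anomaly detection modelled on a UDP flood alert.

    Counts UDP packets in fixed windows of `window_ms` and returns the time of
    the packet that pushes a window's count above `threshold`, or None.
    """
    counts: Counter = Counter()
    for p in sorted(packets, key=lambda pkt: pkt.t_ms):
        if p.proto != "UDP":
            continue
        bucket = p.t_ms // window_ms
        counts[bucket] += 1
        if counts[bucket] > threshold:
            return p.t_ms
    return None


def evaluate(packets: List[Packet]) -> Dict[str, object]:
    """Run both detectors and report how much of the UDP burst got through first."""
    flood_t = udp_flood_alert_time(packets)
    udp_times = [p.t_ms for p in packets if p.proto == "UDP"]
    delivered = (sum(1 for t in udp_times if t <= flood_t)
                 if flood_t is not None else len(udp_times))
    return {
        "signature_alerts": signature_alerts(packets),
        "first_udp_ms": min(udp_times) if udp_times else None,
        "flood_alert_ms": flood_t,
        "udp_packets_delivered_before_alert": delivered,
    }


def constructed_traffic() -> List[Packet]:
    """Constructed capture: benign TCP, one packet with a known signature,
    then a 200-packet UDP burst carrying a payload no signature covers."""
    pkts = [Packet(100 * i, "TCP", 8080, b"GET / HTTP/1.0") for i in range(20)]
    pkts.append(Packet(2000, "TCP", 8080, b"..." + KNOWN_SIGNATURES["KNOWN_WORM_A"]))
    # Fileless payload with no signature: the sniffer-style detector never fires.
    pkts += [Packet(5000 + 10 * i, "UDP", 9999, b"UNKNOWN-PAYLOAD") for i in range(200)]
    return pkts


if __name__ == "__main__":
    for key, value in evaluate(constructed_traffic()).items():
        print(f"{key}: {value}")
```

On the constructed capture, the signature detector reports only the packet that carries a pattern it already knows and is silent on the entire UDP burst, while the flood detector fires 500 ms after the burst begins, by which time 51 packets have already reached their destination. That gap between first malicious packet and first alert is the window the background section describes.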